Session Management in Shibboleth

Federated identity involves a number of distinct sessions established between the user's browser and the parties involved: the identity provider, the service provider software, and the application it protects. Most of these sessions are maintained through cookies, each of which is a key to additional session state held by the provider or application that issued it.

These sessions are largely independent and distinct: any one of them can exist with or without any other, and the expiration of one session does not imply the expiration of any other. Some sessions can be associated with each other through common identifiers shared at the time they are created, but that association is a convention between the parties, not an enforced link. This is what makes single log-out such a difficult problem.

For reference, see the draft OpenID Connect Session Management specification.

A session established by the application may persist well beyond the Shibboleth session. Unless the application is enhanced to do so, logging out of the application will not terminate the Shibboleth session that was initiated to access the resource. The converse is true as well: unless the application is designed and configured to handle it, logging out of Shibboleth will not remove the application's own sessions. Session lifetimes should be coordinated where possible, since mismatched expiration affects the user experience and causes confusion: a user whose Shibboleth session has ended may still be logged in to the application, or may be sent back to the identity provider unexpectedly while the application session is still valid. That convenience has to be weighed against the risk of impersonation, malicious or otherwise: the longer an application session can outlive the Shibboleth session, the longer an unattended or shared browser, or a copied cookie, remains usable, usually as a result of user negligence rather than an attack on the protocol.
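The following is an added example and not code from the Shibboleth project. It models the two independent session stores described above (the SP's session and the application's session) to show three things in running code: an application session minted with a lifetime capped at the Shibboleth session's expiry, an application-only logout that leaves the Shibboleth session in place (and an SP logout that leaves the application session in place), and an "enhanced" application that binds its session to the Shib-Session-ID it was created from and redirects to the SP's local logout handler on logout. The in-memory stores, the `now` timestamps and the session identifiers are constructed for the example; the header names `Shib-Session-ID` and `Shib-Session-Expires` and the `/Shibboleth.sso/Logout` handler are the SP's, but the assumption that `Shib-Session-Expires` is exported as epoch seconds and that the handler honours a `return` parameter should be checked against the SP version in use.

```python
"""Model of the independent Shibboleth SP session and application session."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode


@dataclass
class ShibSession:
    session_id: str
    expires: float  # epoch seconds (assumed format of Shib-Session-Expires)


@dataclass
class AppSession:
    app_session_id: str
    shib_session_id: str  # common identifier copied from Shib-Session-ID at login
    expires: float


# Constructed stand-ins for the two independent session stores.
SHIB_SESSIONS: Dict[str, ShibSession] = {}
APP_SESSIONS: Dict[str, AppSession] = {}


def reset() -> None:
    SHIB_SESSIONS.clear()
    APP_SESSIONS.clear()


def sp_login(session_id: str, now: float, lifetime: float = 28800) -> ShibSession:
    """The SP establishes its own session after a successful SAML response."""
    s = ShibSession(session_id, now + lifetime)
    SHIB_SESSIONS[session_id] = s
    return s


def sp_headers(session_id: str) -> Dict[str, str]:
    """Subset of the headers the SP exports to the protected application."""
    s = SHIB_SESSIONS[session_id]
    return {"Shib-Session-ID": s.session_id,
            "Shib-Session-Expires": str(int(s.expires))}


def app_login(app_sid: str, headers: Dict[str, str], now: float,
              app_lifetime: float) -> AppSession:
    """Mint the application session from the SP's headers. Lifetimes are
    coordinated: the app session never outlives the Shib session it came from."""
    shib_expires = float(headers["Shib-Session-Expires"])
    a = AppSession(app_sid, headers["Shib-Session-ID"],
                   min(now + app_lifetime, shib_expires))
    APP_SESSIONS[app_sid] = a
    return a


def app_request_ok(app_sid: str, now: float) -> bool:
    """Unenhanced application: only its own cookie and expiry are checked,
    so it keeps working after the SP session is gone."""
    a = APP_SESSIONS.get(app_sid)
    return a is not None and now < a.expires


def app_request_ok_bound(app_sid: str, headers: Optional[Dict[str, str]],
                         now: float) -> bool:
    """Enhanced application: the app session is also bound to the Shib session
    it was created from, so an SP logout (or a new SP session for somebody
    else) invalidates it. `headers` is None when the SP exports no session."""
    a = APP_SESSIONS.get(app_sid)
    if a is None or now >= a.expires:
        return False
    return headers is not None and headers.get("Shib-Session-ID") == a.shib_session_id


def app_logout_naive(app_sid: str) -> None:
    """Application-only logout: the Shib session is left untouched."""
    APP_SESSIONS.pop(app_sid, None)


def app_logout_coordinated(app_sid: str, return_url: str) -> str:
    """Drop the app session and send the browser to the SP's local logout
    handler, which removes the SP session and then redirects to return_url
    (the `return` parameter is assumed to be supported by the SP in use)."""
    APP_SESSIONS.pop(app_sid, None)
    return "/Shibboleth.sso/Logout?" + urlencode({"return": return_url})


def sp_logout(session_id: str) -> None:
    """SP-side logout: the application session is left untouched."""
    SHIB_SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    reset()
    now = 1_700_000_000.0
    sp_login("_sp1", now, lifetime=3600)
    a = app_login("app1", sp_headers("_sp1"), now, app_lifetime=86400)
    print("app session capped to SP expiry:", a.expires == now + 3600)
    sp_logout("_sp1")
    print("unenhanced app still accepts:", app_request_ok("app1", now + 10))
    print("bound app rejects:", app_request_ok_bound("app1", None, now + 10))
    print("redirect:", app_logout_coordinated("app1", "https://app.example.org/"))
```

The binding check in `app_request_ok_bound` is the minimal "enhancement" the text refers to: it costs nothing at request time because the SP already exports the header, and it turns an SP-side logout into an application logout without any callback from the SP. The coordinated logout in the other direction still only clears the local SP session; whether the identity provider's session ends as well depends on the SP's logout configuration.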